Data visibility on type that does not mix AclEnabled


#1

I have a type BasePhysicalMeasurementSeries that does not mix AclEnabled, yet one of my users with restricted data access cannot see or fetch any instance of this type.

This means that creating an instance of AclPrivilege is useless, but then how can I give this user access to instances of BasePhysicalMeasurementSeries?


#2

It seems the problem can be fixed with an actionCondition in the user Role, e.g.

{
  "id": "App.Role",
  "name": "The App Role",
  "permissions": [
    ...
  ],
  "actionConditions": [
    "MeasurementSeries::*:(servicePoint.facility.denormParents.from.Facility.billingAccounts.memberAccounts.member.id == _context.userName)",
    ...
  ]
},

#3

This is horrible, please don’t do this…

When you say “BasePhysicalMeasurementSeries is not acl enabled but my user cannot fetch the data”

A good way to answer the why of that question is to run the command:

Authorizer.actionAuthorization("BasePhysicalMeasurementSeries", "fetch", "THE_USER_NAME", 'the_tenant', 'the_tag')


#4

He’s authorized to do fetch on BasePhysicalMeasurementSeries. I realized the existence of actionCondition but with a wrong condition.
@rileysiebel do you recommend completely removing the actionCondition rather than correcting the expression? But then he will see every measurement.